Hybrid Analysis identified a VELVET CHOLLIMA-assessed infostealer operation distributing a signed Windows MSI that masquerades as the Tralert FX cryptocurrency trading application. The installer exposed live credentials and GitLab access tokens, revealing a multi-stage loader chain that uses GitLab repositories for payload delivery, scheduled-task persistence, and recurring exfiltration. The malware collects host reconnaissance, keylogs, and Chromium browser credentials, then pushes stolen data into GitLab repositories every 30 minutes for human triage of cryptocurrency-focused victims. The final payload is MoonPeak, a custom XenoRAT variant, with infrastructure including Tralert/Talert lure domains, GitLab projects, C2 hosts, mutexes, hashes, and the hardcoded C2 IP 91.107.246.107. The campaign matters because the exposed repositories showed active compromise, more than 4,100 commits, roughly 90 affected hosts, and an operational focus on crypto account takeover.